Cross-origin resource sharing (CORS) is a mechanism that allows resources to be requested from a domain that's outside the domain from which the request originated. In general, CORS headers are required to enable browser-based HTML5 video players to fetch video and other information from Wowza Streaming Engine™ media server software instance and to allow a website in one domain to request video from a Wowza Streaming Engine server in a different domain. This article describes how to configure CORS settings in Wowza Streaming Engine.
Configure CORS headers
This section shows how to set up CORS for streaming applications in Wowza Streaming Engine Manager. It uses the default live application as an example, but you can use these instructions for any streaming application.
- In Wowza Streaming Engine Manager, in the Applications contents panel, click live, and then click Edit.
Note: CORS headers are supported by all application types. If you want to create a new streaming application, click Add Application in the contents panel, and then the application type you want to use. Follow the instructions in the UI. - On the live application page, select Cross-origin resource sharing (CORS), and then click Save.
Customize CORS headers with application properties
After you enable CORS headers, you can add the properties to your application. Each CORS property is prefixed with a [protocol], which is either the appropriate protocol name (cupertino, sanjose, mpegdash, or smooth) or http to denote all HTTP streaming protocols.
To add any of the above CORS headers properties to a streaming application, do the following:
- In Wowza Streaming Engine Manager, click the Applications tab and then click the name of your live application (such as live) in the contents panel.
- On the application page Properties tab, click Custom in the Quick Links bar.
Note: Access to the Properties tab is limited to administrators with advanced permissions. For more information, see Manage credentials. - In the Custom area, click Edit.
- Click Add Custom Property, specify the property Path, Name, Type, and Value in the Add Custom Property dialog box, and then click Add:
- Click Save, and then restart the application.
Default CORS headers
CORS headers (Main)
- Access-Control-Allow-Origin: *
- Access-Control-Allow-Credentials: true
- Access-Control-Expose-Headers: Date, Server, Content-Type, Content-Length
- Access-Control-Allow-Methods: OPTIONS, GET, POST, HEAD
- Access-Control-Allow-Headers: Content-Type, User-Agent, If-Modified-Since, Cache-Control, Range
CORS headers (Age)
- Access-Control-Max-Age: 60
Customize CORS headers with VHost properties
The default setting is to enable CORS headers for VHost requests that aren't serviced by an HTTP provider or application. You can adjust the default setting by adding the properties shown in the table above to your [install-dir]/VHost.xml file (You must add the properties to the last <Properties> section in VHost.xml using a text editor. Each CORS property is prefixed with a [protocol]. The following example shows a common 'options' request directed at a VHost:
<Property> <Name>optionsCORSHeadersAddMain</Name> <Value>Access-Control-Allow-Headers:X-Authorization</Value> <Type>String</Type> </Property>
Configure CORS headers for HTTP providers
Wowza Streaming Engine has built-in HTTP providers and supports custom HTTP providers that provide additional information to clients. (For more details, see HTTP providers.) By default, the built-in HTTP providers include CORS headers when providing information. You can disable this functionality on a per-provider basis by adding a specific property to the HTTP provider configuration, as shown below:
<HTTPProvider> <BaseClass>com.wowza.wms.http.HTTPServerInfoXML</BaseClass> <RequestFilters>serverinfo*</RequestFilters> <AuthenticationMethod>admin-digest</AuthenticationMethod> <Properties> <Property> <Name>httpCORSHeadersEnabled</Name> <Value>false</Value> <Type>Boolean</Type> </Property> </Properties> </HTTPProvider>
Configure CORS for Adobe Flash or Microsoft Silverlight playback
For playback on Adobe Flash or Microsoft Silverlight, CORS settings are controlled via a cross-domain policy file. The crossdomain.xml file controls cross-domain policy for Flash, and the clientaccesspolicy.xml file is the default for Silverlight. A Silverlight application, when processing a cross-domain request, first looks for a clientaccesspolicy.xml file. If clientaccesspolicy.xml isn't found, the application then looks for a crossdomain.xml file.
By default, the policy file is configured to allow any cross-domain connection. To increase security, navigate to [install-dir]/conf/crossdomain.xml or [install-dir]/conf/clientaccesspolicy.xml and edit the default wildcard (*) settings to specify which domains should have access to streams from Wowza Streaming Engine. For more information on header values in these XML files, see the Adobe Flash Cross-domain policy file specification article or the Microsoft Silverlight support article, Making a Service Available Across Domain Boundaries.